firewalld_selinux(8)       SELinux Policy firewalld       firewalld_selinux(8)

NAME

       firewalld_selinux - Security Enhanced Linux Policy for the firewalld
       processes

DESCRIPTION

       Security-Enhanced Linux secures the firewalld processes via flexible
       mandatory access control.

       The firewalld processes execute with the firewalld_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep firewalld_t


ENTRYPOINTS

       The firewalld_t SELinux type can be entered via the firewalld_exec_t
       file type.

       The default entrypoint paths for the firewalld_t domain are the
       following:

       /usr/sbin/firewalld


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files.  SELinux
       firewalld policy is very flexible, allowing users to set up their
       firewalld processes in as secure a method as possible.

       The following process types are defined for firewalld:

       firewalld_t

       Note: semanage permissive -a firewalld_t can be used to make the
       process type firewalld_t permissive.  SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated.

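       As an added example (not part of this generated manual page), the
       following Python triages constructed audit records for AVC denials
       raised by the firewalld_t domain and counts how many of them carried
       permissive=1, i.e. were recorded but not blocked as the note above
       describes.  The sample records and the helper name firewalld_denials
       are assumptions.

```python
import re
from collections import Counter

# Constructed sample audit records (not captured from a real host); the
# layout follows the kernel's AVC record format.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1616745600.101:301): avc:  denied  { write } for  pid=812 comm="firewalld" name="zones" dev="dm-0" ino=4321 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1616745600.102:302): avc:  denied  { write } for  pid=812 comm="firewalld" name="public.xml" dev="dm-0" ino=4322 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1616745600.103:303): avc:  denied  { read } for  pid=990 comm="httpd" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+"
    r" tclass=(?P<tclass>\w+) permissive=(?P<permissive>[01])"
)


def firewalld_denials(audit_text, domain="firewalld_t"):
    """Count AVC denials raised by `domain`, keyed by (target type, class, perm).

    Returns (counts, permissive) where `permissive` is how many of those
    records carried permissive=1: the access went ahead and only the record
    was produced, which is what a permissive domain looks like in the log.
    """
    counts = Counter()
    permissive = 0
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("stype") != domain:
            continue  # not an AVC record, or raised by a different domain
        for perm in m.group("perms").split():
            counts[(m.group("ttype"), m.group("tclass"), perm)] += 1
        permissive += int(m.group("permissive"))
    return counts, permissive


if __name__ == "__main__":
    counts, permissive = firewalld_denials(SAMPLE_AUDIT)
    for (ttype, tclass, perm), n in sorted(counts.items()):
        print(f"{n:3d}  firewalld_t -> {ttype} ({tclass}) {perm}")
    print(f"{permissive} record(s) were allowed by permissive mode")
```

       Repeated hits on one target type usually point at a mislabelled file
       rather than a policy gap; the file types listed under MANAGED FILES are
       what firewalld_t is expected to touch.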

BOOLEANS

       SELinux policy is customizable based on least access required.
       firewalld policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run firewalld with the tightest
       access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean.  Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean.  Disabled by default.

       setsebool -P nis_enabled 1


MANAGED FILES

       The SELinux process type firewalld_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note the process's UID still needs to have DAC permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       firewalld_etc_rw_t

            /etc/firewalld(/.*)?

       firewalld_tmpfs_t

       firewalld_var_run_t

            /var/run/firewalld(/.*)?
            /var/run/firewalld.pid

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux firewalld policy is very flexible, allowing users to set up
       their firewalld processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES

       firewalld policy stores data with multiple different file context types
       under the /var/run/firewalld directory.  If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/firewalld /srv/firewalld
       restorecon -R -v /srv/firewalld

       STANDARD FILE CONTEXT

       SELinux defines the file context types for firewalld; if you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t firewalld_unit_file_t '/srv/myfirewalld_content(/.*)?'
       restorecon -R -v /srv/myfirewalld_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

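       The following Python is an added example, not part of this generated
       manual page: it encodes the default path regexes listed here for
       firewalld, applies the /srv equivalence mapping from the command above,
       and checks constructed ls -Z style output for files whose on-disk label
       differs from what the rules would assign.  The rule ordering, the
       constructed listing and the names expected_type and mislabelled are
       assumptions, and the matching is a simplification of what libselinux
       does.

```python
import re

# Default file-context rules from this manual page as (regex, type) pairs,
# tried from most to least specific; first fullmatch wins (a simplification
# of libselinux matching, for illustration only).
FILE_CONTEXTS = [
    (r"/var/run/firewalld\.pid", "firewalld_var_run_t"),
    (r"/var/run/firewalld(/.*)?", "firewalld_var_run_t"),
    (r"/etc/firewalld(/.*)?", "firewalld_etc_rw_t"),
    (r"/usr/sbin/firewalld", "firewalld_exec_t"),
]

# 'semanage fcontext -a -e TARGET SOURCE' semantics: paths under SOURCE are
# labelled as if they lived under TARGET.  Mirrors the /srv example above.
EQUIVALENCES = {"/srv/firewalld": "/var/run/firewalld"}


def canonical_path(path):
    # Rewrite `path` through the equivalence table before rule matching.
    for source, target in EQUIVALENCES.items():
        if path == source or path.startswith(source + "/"):
            return target + path[len(source):]
    return path


def expected_type(path):
    """Return the file type the default rules assign to `path`, or None."""
    path = canonical_path(path)
    for pattern, ftype in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            return ftype
    return None


# 'ls -Z' style line: user:role:type:level followed by an absolute path.
LS_Z_RE = re.compile(r"[^:\s]+:[^:\s]+:(?P<ftype>\w+):\S+\s+(?P<path>/\S+)$")


def mislabelled(ls_z_output):
    """Return (path, actual type, expected type) for each label mismatch."""
    bad = []
    for line in ls_z_output.splitlines():
        m = LS_Z_RE.search(line)
        if m:
            want = expected_type(m.group("path"))
            if want is not None and want != m.group("ftype"):
                bad.append((m.group("path"), m.group("ftype"), want))
    return bad


# Constructed sample listing, not output from a real system.
SAMPLE_LS_Z = """\
system_u:object_r:firewalld_etc_rw_t:s0 /etc/firewalld/zones/public.xml
unconfined_u:object_r:etc_t:s0 /etc/firewalld/firewalld.conf
system_u:object_r:firewalld_var_run_t:s0 /srv/firewalld/firewalld.pid
"""
```

       A mismatch such as firewalld.conf carrying etc_t is what restorecon -R
       -v would correct; on a real host use matchpathcon or restorecon -n -v
       rather than this table.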
       The following file types are defined for firewalld:

       firewalld_etc_rw_t

       - Set files with the firewalld_etc_rw_t type, if you want to treat the
       files as firewalld etc read/write content.

       firewalld_exec_t

       - Set files with the firewalld_exec_t type, if you want to transition
       an executable to the firewalld_t domain.

       firewalld_initrc_exec_t

       - Set files with the firewalld_initrc_exec_t type, if you want to
       transition an executable to the firewalld_initrc_t domain.

       firewalld_tmp_t

       - Set files with the firewalld_tmp_t type, if you want to store
       firewalld temporary files in the /tmp directories.

       firewalld_tmpfs_t

       - Set files with the firewalld_tmpfs_t type, if you want to store
       firewalld files on a tmpfs file system.

       firewalld_unit_file_t

       - Set files with the firewalld_unit_file_t type, if you want to treat
       the files as firewalld unit content.

       firewalld_var_log_t

       - Set files with the firewalld_var_log_t type, if you want to treat the
       data as firewalld var log data, usually stored under the /var/log
       directory.

       firewalld_var_run_t

       - Set files with the firewalld_var_run_t type, if you want to store the
       firewalld files under the /run or /var/run directory.

       Paths:
            /var/run/firewalld(/.*)?, /var/run/firewalld.pid

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command.  This will modify the SELinux labeling
       database.  You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), firewalld(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

firewalld                          21-03-26               firewalld_selinux(8)